Import This Malicious User-Agent String Feed

One of the most powerful features of Security Analytics is the ability to create feeds on the fly using the feed creation wizard.

Feeds can consist of any values in any meta key. The most common use cases are feeds of malicious IP addresses and Hostname Aliases. However, for this exercise, the RSA FirstWatch Team wants to share its long list of known malware and malicious User-Agent strings. We use this feed internally to identify known malware agents on our own network, and as we discover new malicious User-Agent strings, we will add them to this feed over time.

Step 1: Preparation

To take advantage of feeds, you should turn indexing on (IndexValues) for feed.name, feed.category and feed.desc on the concentrators and brokers that communicate with your capture decoders. This often requires a service restart, so you may need to schedule momentary downtime to get this working properly. The feeds will still work without indexing these values, but any queries against the keys, and any reports that use the new data, will be slow to respond.

Step 2: Grab the CSV File

The CSV file for the feed is attached to the bottom of this post.

Step 3: Run the Wizard

In Security Analytics, go to Live -> Feeds.

On the next screen, click the big Plus button in the upper right to add a new feed. You will be prompted with a radio button selection. Choose Custom Feed.

Step 4: Program Your Feed

Now you will follow these screenshots to ensure your feed works.

Make sure you are selecting an Adhoc feed. This means it is a one-time installation that can be updated periodically if you need to. Then click Next.

Now you will select which of your decoders are going to house the feed. In my example, my sandbox decoders are selected. Click Next.

Here is the real configuration screen. Since this is not IP related, choose the Non IP radio button. My CSV is meant to contain all of the malicious User-Agent strings in column 1 as my values, so select column 1 as the index column.

Since this is all related to HTTP traffic, I've chosen to select service type 80.

The callback key is the key that is normally populated with the values I want to be on the lookout for. In this case, User-Agent strings populate the client key. So I select the client key for Callback Keys.

When you choose to index column 1, it gets grayed out. Now you need to set the column headers for columns 2, 3 and 4. In this case, you want to select feed.name for column 2, feed.category for column 3, and feed.desc for column 4.

If your screen looks just like below, hit Next.

The next screen is a review screen. Hit Finish and you are done!

Step 5: Look for Results

So what does it look like when you get results? Keep in mind that these UA strings are all related to malware communications. Hopefully you won't see too much, but if you do, you may wish to investigate. You could even create daily alerts and reports to monitor for the presence of these known bad UA strings. But in our malware-only environment, it looks like this. If you see similar results, you are likely in big trouble.

It should be noted here that we are confident that this simple feed works to identify malicious activity. I simply drilled into the feed name of malicious ua string, and you can read the feed descriptions for the past 5 days. Also note that there are scores of third-party feeds that are in agreement that the observed traffic is associated with malware, with iDefense Reputation being the most prevalent, even above FirstWatch. (FirstWatch usually only looks for things that aren't already identified by someone else.)

Step 6: Updating Your Feed

To update your feed, simply go back to Live -> Feeds, select your feed and click the edit button. On the configuration screen from Step 4 above, you will see a link to download your feed. It will download as a CSV file for easy local editing. If you want to change the categories and descriptions we've put in place, feel free to do so. When you finish editing your feed, use the wizard to upload it again. You will not have to change any of the configuration parameters.
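A pre-upload check for an edited feed CSV, as an added example (not part of the original post or of any RSA tooling). It assumes the four-column layout from Step 4 and exact, case-sensitive matching on column 1; the sample rows are constructed and are not entries from the FirstWatch feed.

```python
import csv
import io

# Layout from Step 4: column 1 = User-Agent (index), then feed.name,
# feed.category, feed.desc.
META_COLUMNS = ("feed.name", "feed.category", "feed.desc")

def lint_feed(csv_text):
    """Return (line, problem) pairs for a feed CSV about to be uploaded."""
    problems = []
    exact = {}    # UA string -> line where first seen
    folded = {}   # lowercased UA -> line where first seen
    reader = csv.reader(io.StringIO(csv_text))
    for row in reader:
        line = reader.line_num
        if not row:
            continue  # blank line
        if len(row) != 4:
            problems.append((line, f"expected 4 columns, got {len(row)}"))
            continue
        ua = row[0]
        if not ua.strip():
            problems.append((line, "empty index value"))
            continue
        if ua != ua.strip():
            problems.append((line, "whitespace around index value"))
        if ua in exact:
            problems.append((line, f"exact duplicate of line {exact[ua]}"))
            continue
        if ua.lower() in folded:
            problems.append((line, f"differs only in case from line {folded[ua.lower()]}"))
        # An all-lowercase value may have been copied from a lowercased view.
        if ua == ua.lower() and any(c.isalpha() for c in ua):
            problems.append((line, "all lowercase: confirm against session view"))
        for name, value in zip(META_COLUMNS, row[1:]):
            if not value.strip():
                problems.append((line, f"empty {name}"))
        exact[ua] = line
        folded.setdefault(ua.lower(), line)
    return problems

# Constructed sample; these are not entries from the FirstWatch feed.
SAMPLE = """\
ExampleBot/1.0,malicious ua string,constructed-category,constructed entry
examplebot/1.0,malicious ua string,constructed-category,case variant of line 1
"Mozilla/4.0 (compatible; ExampleLoader)",malicious ua string,constructed-category,quoted value
ExampleBot/1.0,malicious ua string,constructed-category,exact duplicate of line 1
"Sample, Agent",malicious ua string,constructed-category
"""
```

The all-lowercase finding is a prompt to re-check the value, not an error, since some genuine User-Agent strings contain no capitals.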

I forgot to mention that the UA strings that you add to this feed are CASE SENSITIVE. So when you add new UA strings, copy and paste from the session view, not the meta view in Investigator, which forces everything lowercase.

Will do. As I said, I am new to creating manual custom feeds and not quite sure how to implement the meta callback. What I am thinking of doing is creating the feed via 10.3 and trying it in 9.8. The feeds from Live work in 9.8 so this should work too... I think.

I have updated this feed since it was first posted. It now has several UA strings that seem to be common to DDoS malware on your network. This specific DDoS malware makes hundreds of GET requests to a webserver in the '/' directory using one of these forged UA strings. There are also dynamically generated referer strings as well, so if you get hits on the DDoS portion of the feed, you can validate it by looking for these characteristics.
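A triage sketch for the validation described above, as an added example that is not part of the original post. The record field names, the thresholds (100 requests, referer ratio 0.5) and all sample values are assumptions constructed for illustration; adapt them to however you export session data.

```python
from collections import defaultdict

def ddos_candidates(sessions, feed_uas, min_requests=100, min_referer_ratio=0.5):
    """Return (src, ua, root_gets, distinct_referers) for feed hits that show
    many GET requests to '/' with mostly unique referers."""
    stats = defaultdict(lambda: {"root_gets": 0, "referers": set()})
    for s in sessions:
        if s["user_agent"] not in feed_uas:      # exact, case-sensitive match
            continue
        if s["method"].upper() != "GET" or s["path"] != "/":
            continue
        entry = stats[(s["src"], s["user_agent"])]
        entry["root_gets"] += 1
        if s["referer"]:
            entry["referers"].add(s["referer"])
    hits = []
    for (src, ua), e in sorted(stats.items()):
        ratio = len(e["referers"]) / e["root_gets"]
        if e["root_gets"] >= min_requests and ratio >= min_referer_ratio:
            hits.append((src, ua, e["root_gets"], len(e["referers"])))
    return hits

def constructed_sessions():
    """Constructed sample data; addresses, UA strings and referers are made up."""
    rows = []
    for i in range(300):   # feed UA, GET /, a new referer on every request
        rows.append({"src": "192.0.2.10", "method": "GET", "path": "/",
                     "user_agent": "ExampleFlood/1.0",
                     "referer": f"http://r{i}.example/"})
    for _ in range(3):     # feed UA, but only a handful of requests
        rows.append({"src": "192.0.2.20", "method": "GET", "path": "/",
                     "user_agent": "ExampleFlood/1.0",
                     "referer": "http://portal.example/"})
    for _ in range(500):   # busy client whose UA differs in case: no feed match
        rows.append({"src": "192.0.2.30", "method": "GET", "path": "/",
                     "user_agent": "exampleflood/1.0", "referer": ""})
    return rows

if __name__ == "__main__":
    for hit in ddos_candidates(constructed_sessions(), {"ExampleFlood/1.0"}):
        print(hit)
```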